Secretary of State 

SxATE OF Indiana 


COTnTNIE LAWSON 
Secretary of State 

July 12, 2018 

Brian Newby, Executive Director 
U.S. Election Assistance Commission 
1335 East-West Highway, Suite 4300 
Silver Spring, MD 20910 

Re: Indiana HAVA Cybersecurity Program Narrative 

Dear Mr. Newby; 

This letter provides a narrative of Indiana’s plan to spend the 2018 HAVA Elections Security Grant Funds 
and the investments Indiana has expended out of the Indiana Secretary of State’s office (INSOS) to 
qualify for the required matched funds. To prepare this narrative, INSOS surveyed local election officials 
and Indiana vendors to identify challenges and opportunities to secure and improve Indiana’s election 
security cyber posture. 

We appreciate the release of $7,595,088 additional HAVA funds, which will be used to continue Indiana’s 
investment in election security, 

Assessment of Indiana's Cvbersecuritv Profile: 

Since the 2016 election, Indiana has been working to modernize and maximize security through the 
implementation of cybersecurity projects across the Statewide Voter Registration System (SVRS) and the 
election infrastructure. Indiana has partnered with the U.S. Department of Homeland Security (DHS) and 
Multi State Information and Analysis Center (MS-ISAC) to assess risk and vulnerabilities, develop best 
practices, and provide access to 24/7 security information, threat notifications, and security advisories. 
Additionally, the Indiana Executive Council for Cybersecurity was established by Governor Holcomb in 
January 2017 to form an understanding of Indiana's cyber risk profile, identify priorities, establish a 
strategic framework of Indiana's cybersecurity initiatives, and leverage strategic cybersecurity 
partnerships across the public and private sector. 

In 2017, INSOS implemented many cybersecurity improvements, which included cybersecurity training at 
the county and state level that covered spear phishing, implementation of security enhancements to 
improve password protections, hardening the validation protocols required for user access, 
implementation of multifactor authentication protocols, and migrated to a new hosting environment with 
added security features. Indiana expanded its cyber footprint in 2018 through the sharing of election 
cybersecurity best practices to local election officials, conducted a risk and vulnerability assessment 
across the election infrastructure and piloted a risk limiting audit in our state's largest county to validate 
optical scan voting tabulation systems. Indiana also partnered with MS-ISAC to install an Albert Sensor, a 
network monitoring solution that provides automated alerts of network threats enabling Indiana to respond 
quickly when data may be at risk. 

Additional Indiana election security practices include mandatory public testing of voting equipment by 
local election officials before each election in which the equipment will be used and required state 
laboratory testing and certification for the implementation and usage of voting system hardware and 
software. In 2018, Indiana became one of the first states to pass legislation to restrict the transfer of 
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voting systems so the systems can only be sold or resold for official use, preventing hackers' access to 
machines, and permitting a county election board to apply to INSOS for reimbursement of expenditures to 
secure and monitor facilities where voting systems and electronic poll books are stored. 

Planned Actions for Preparation of the 2018 Midterm Elections: 

Because Indiana was already working to harden the election infrastructure, current investment costs total 
$658,961, which exceeds Indiana’s state match requirement by $279,207. We fully understand that 
Indiana's expenditure of $658,961 exceeds the amount required for the 5% match ($379,754), and no 
additional federal funding will be available as a result of our additional qualifying expenditures. The 
following actions are planned or underway, we will: 

1. Partner with the Indiana National Guard and Incident Response Cybersecurity Committee to 
establish incident response plans through table-top exercises and incident response plan testing; 

2. Continue partnership with DHS to evaluate additional Albert Sensor installations at the county or 
state level and evaluate DHS Risk and Vulnerability Assessment findings in order to implement 
improvement opportunities; 

3. Assess technology and timing options to expand the Indiana multifactor authentication pilot 
project to all 92 counties, after piloting a token authentication project for ten counties in the 2018 
Primary Eiection; 

4. Evaluate election purposed computers (laptops or desktops) or virtual machines to harden 
election system network connections and replace unsupported operating systems or internet 
browsers; 

5. Evaluate electronic poll book vendor controls, software and patch updates, and security 
protocols; 

6. Evaluate election night reporting systems to identify improvement opportunities for data entry 
authentication, data backups, and intrusion detection; 

7. Conduct third-party penetration testing of SVRS, electronic poll books, and other related election 
system infrastructure; 

8. Implement SVRS security scans for file uploads for all users; and 

9. Implement email encryption and digital signatures for file transfers and transmission of election 
data. 

Pianned Usage of the 2018 HAVA Elections Security Grant Funds in 2019: 

Indiana will implement the following projects based on the system and evaluation outcomes identified in 

2018, and the avaiiabiiity of the 2018 HAVA Elections Security Grant Funds: 

1. Statewide multifactor authentication expansion; 

2. Replacement or additional purchases of computers with supported operating systems and 
internet browsers for county usage to election systems; 

3. Implementation of electronic poll book vendor network security enhancements; 

4. Deployment of auditable voting systems; and 

5. Election night reporting security enhancements. 
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The Secretary of State's office will develop a grant funding program to fund opportunities for local election 
officials for election systems upgrades and additional security needs. These funds can be used to; 

1. Enhance election technology and security by purchasing or upgrading election systems; 

2. Reimburse counties for physical security improvements; 

3. Facilitate cybersecurity training to state and county officials; and 

4. Contract with cyber navigators who can conduct cybersecurity assessments and identify 
recommendations to counties for security improvements. 

The Secretary of State's office will coordinate and plan with the Indiana General Assembly for future 
replacement of voting equipment since the required budget to replace direct-recording electronic voting 
machines without a voter-verified paper traii requires a larger amount than the available 2018 HAVA 
Elections Security Grant Funds. 

If other funding is appropriated by Congress or the Indiana General Assembly, Indiana plans to use a 
majority of the funds to replace or purchase election systems at the county level. 

The plans described in this narrative are subject to change, based on additional security assessments 
and evaluations, and as funds for cybersecurity improvements are made available to Indiana counties. 
Indiana will update the U.S, Election Assistance Commission if project plans change and as the program 
develops, 


Sincerely, 



Connie Lawson 
Indiana Secretary of State 
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2018 HAVA ELECTION SECURITY GRANT 

Budget Information 

CFDA # 90.404 Non-Construction Program 

Name of Organization: 

Budget Period Start: 

Budget Period End: 

State of Indiana 

3/23/2018 

5/3/2019 

SECTION A- BUDGETSUMIV 

FEDERAL & NON- 

(Consolidated Budget for total project term- 
=EDERAL FUNDS (Match) up to 5 years as defined by grantee) 

PROGRAM CATEGORIES 

BUDGET CATEGORIES 

(a) Voting 
Equipment 

(b) Election 
Auditing 

(c ) Voter 
Registration 
Systems 

(d) Cyber Security 

(e) Communications 

(f) other 

(g) Other 

TOTALS 

% Fed Total 

1. PERSONNEL (including fringe) 








$ 

0% 

2. EQUIPMENT 



$ 240,000.00 


S 200,000.00 



$ 440,000.00 

6% 

3. SUBGRANTS- to local voting jurisdictions 








$ 

0% 

4. TRAINING 





S 400,000.00 



$ 400,000.00 

5% 

5. All OTHER COSTS 



$ 125,000.00 

S 6,630,088.00 




$ 6,755,088.00 

89% 

6. TOTAL DIRECT COSTS (1-6) 

s 

$ 

$ 365,000.00 

S 6,630,088.00 

S 600,000.00 

s 

$ 

$ 7,595,088.00 


7. INDIRECT COSTS (if applied) 








$ 

0% 

8. Total Federal Budget 

$ 

$ 

$ 365,000.00 

$ 6,630,088.00 

$ 600,000.00 

$ 

$ 

$ 7,595,088.00 


11. Non-Federal Match 

$ 

$ 39,000.00 

$ 172,754.00 

S 168,000.00 

s 

s 

$ 

$ 379,754.00 


12. Total Program Budget 

$ 

$ 39,000.00 

$ 537,754.00 

$ 6,798,088.00 

$ 600,000.00 

$ 

$ 

$ 7,974,842.00 


13. Percentage By Category 

0% 

0% 

5% 

87% 

8% 

0% 

0% 






Proposed State Match 

5.0% 




A. Do you have an Indirect Cost Rate Agreement approved by the Federal government or 
some other non-federal entity? 

If yes, please provide the following information: 

B. Period Covered by the Indirect Cost Rate Agreement (mm/dd/yyyy-mm/dd/yyy): 

No 

N/A 



C. Approving Federal agency: 

D. If other than Federal agency, please specify: 

E. The Indirect Cost Rate is: 

N/A 


N/A 

N/A 
























































